Abstract

The full-information model was introduced by Ben-Or and Linial in 1985 to study collective coin-flipping: the problem of generating a common bounded-bias bit in a network of $n$ players with $t = t(n)$ faults. They showed that the majority protocol, in which each player sends a random bit and the output is the majority of the players' bits, can tolerate $t(n) = O(\sqrt{n})$ even in the presence of adaptive corruptions, and they conjectured that this is optimal for such adversaries. Lichtenstein, Linial, and Saks proved that the conjecture holds for protocols in which each player sends only a single bit. Their result has been the main progress on the conjecture during the last 30 years.

In this work we revisit this question and ask: what about protocols where players can send 
longer messages? Can increased communication allow for a larger fraction of corrupt players? 

We introduce a model of strong adaptive corruptions, in which an adversary sees all messages 
sent by honest parties in any given round and, based on the message content, decides whether 
to corrupt a party (and alter its message or sabotage its delivery) or not. This is in contrast 
to the (classical) adaptive adversary who can corrupt parties only based on past messages, and 
cannot alter messages already sent. 

We prove that any one-round coin-flipping protocol, regardless of message length, can be secure against at most $O(\sqrt{n})$ strong adaptive corruptions. Thus, increased message length does not help in this setting.

We then shed light on the connection between adaptive and strongly adaptive adversaries by proving that for any symmetric one-round coin-flipping protocol secure against $t$ adaptive corruptions, there is a symmetric one-round coin-flipping protocol secure against $t$ strongly adaptive corruptions. Going back to the standard adaptive model, we can now prove that any symmetric one-round protocol with arbitrarily long messages can tolerate at most $O(\sqrt{n})$ adaptive corruptions.

At the heart of our results there is a novel use of the Minimax Theorem and a new technique 
for converting any one-round secure protocol with arbitrarily long messages into a secure one 
where each player sends only polylog(n) bits. This technique may be of independent interest. 


1 Introduction 


A collective coin-flipping protocol is one where a set of $n$ players use private randomness to generate a common random bit $b$. Several protocol models have been studied in the literature. In this work, we focus on the model of full information [BL85], where all parties communicate via a single broadcast channel.
The challenge is that $t = t(n)$ of the parties may be corrupted and aim to bias the protocol
outcome (i.e. the “coin”) in a particular direction. We focus on Byzantine faults, where once a party 
is corrupted, the adversary completely controls the party and can send any message on its behalf. 
Two types of Byzantine adversaries have been considered in the literature: static adversaries and 
adaptive adversaries. A static adversary is one that chooses which t players to corrupt before the 
protocol begins. An adaptive adversary is one who may choose which t players to corrupt adaptively, 
as the protocol progresses. 

Collective coin-flipping in the case of static adversaries is well understood (see Section 1.2). In this work, our focus is on the setting of adaptive adversaries, which has received considerably less attention. A collective coin-flipping protocol is said to be secure against $t$ adaptive (resp. static) corruptions if for any adaptive (resp. static) adversary corrupting $t$ parties, there is a constant $\varepsilon > 0$ such that the probability that the protocol outputs 0 (and the probability that the protocol outputs 1) is at least $\varepsilon$, where the probability is taken over the randomness of the players and the adversary.

The question we study is: What is the maximum number of adaptive corruptions that a secure coin-flipping protocol can tolerate? On the positive side, it has been shown by Ben-Or and Linial [BL85] in 1985 that the majority protocol (where each party sends a random bit, and the output is equal to the majority of the bits sent) is resilient to $\Omega(\sqrt{n})$ adaptive corruptions. Ben-Or and Linial conjectured that this is in fact optimal.


Conjecture 1.1 ([BL85]). Majority is the optimal coin-flipping protocol against adaptive adversaries. In particular, any coin-flipping protocol is resilient to at most $O(\sqrt{n})$ adaptive corruptions.


Shortly thereafter, Lichtenstein, Linial, and Saks [LLS89] proved the conjecture for a restricted class of protocols: namely, those in which each player sends only a single bit. Their result has been the main progress on the conjecture of [BL85] during the last 30 years.


1.1 Our contribution 

We first define a new adversarial model of strong adaptive corruptions. Informally, an adversary 
is strongly adaptive if he can corrupt players depending on the content of their messages. More 
precisely, in each round, he can see all the messages that honest players “would” send, and then 
decide which of them to corrupt. This is in contrast to a (traditionally defined) adaptive adversary 
who can, at any point in the protocol, corrupt any player who has not yet spoken based on the 
history of communication, but cannot alter the message of a player who has already spoken. Thus, 
strong adaptive adversaries are more powerful than adaptive adversaries. 

We believe that the notion of strong adaptive security gives rise to a natural and interesting 
new adversarial model in which to study multi-party protocols in general. Indeed, it is a realistic 
concern in many settings that malicious parties may decide to stop or alter messages sent by honest 
players depending on message content, and it is a shortcoming that existing adversarial models fail 
to take such behavior into account. 

We consider our strong adaptive adversarial notion to be closely tied to the notion of a rushing adversary in the setting of static corruptions. A rushing static adversary can see the messages that the honest players send in each round before deciding the messages that the corrupted players will send in the same round. The intuitive idea of a rushing adversary is that the adversary sees all possible information in each round before making his move. We remark that a notion of “rushing adaptive adversary” has been previously proposed in the literature, but such an adversary is weaker than our strong adaptive adversary.¹ We argue that our strong adaptive adversary better captures the idea that the adversary sees all possibly relevant information in each round before making his move, since in the adaptive setting the adversary’s strategy must decide not only what messages to send, but also which players to corrupt.


Our main result is that the conjecture of [BL85] holds (up to polylogarithmic factors) for any one-round coin-flipping protocol in the presence of strong adaptive corruptions.

Theorem. Any secure one-round coin-flipping protocol $\Pi$ can tolerate at most $t = O(\sqrt{n})$ strong adaptive corruptions.

This is shown by a generic reduction of communication in the protocol: first, we prove that any strongly adaptively secure protocol $\Pi$ can be converted to one where players send messages of no more than polylogarithmic length, while preserving the number of corruptions that can be tolerated. Then, we show that any protocol with messages of polylogarithmic length can be converted to one where each player sends only a single bit, at the cost of a polylogarithmic factor in the number of corruptions. Finally, we reach the single-bit setting in which the bound of Lichtenstein et al. [LLS89] can be applied to obtain the theorem. We believe that our technique of converting any protocol into one with short messages is of independent interest and will find other applications.

Furthermore, we prove that strongly adaptively secure protocols are a more general class of protocols than symmetric adaptively secure protocols. A symmetric protocol $\Pi$ is one that is oblivious to the order of its inputs: that is, for any permutation $\pi : [n] \to [n]$ of the players, the protocol outcome is unchanged, $\Pi(r_1, \ldots, r_n) = \Pi(r_{\pi(1)}, \ldots, r_{\pi(n)})$.

Theorem. For any symmetric one-round coin-flipping protocol $\Pi$ secure against $t = t(n)$ adaptive corruptions, there is a symmetric one-round coin-flipping protocol $\Pi'$ secure against $\Omega(t)$ strong adaptive corruptions.

Curiously, this proof makes a novel use of the Minimax Theorem [NM44, Nas50] from game theory, in order to take any symmetric, adaptively secure protocol and convert it to a new protocol which is strongly adaptively secure. This technique views the protocol as a zero-sum game between two players $M_0$ and $M_1$, where $M_0$ wins if the protocol outcome is 0 and $M_1$ wins if the outcome is 1. We analyze the “minimax strategy”, in which the players try to minimize their maximum loss, in order to deduce the strong adaptive security of the new protocol. Whereas some prior works have made use of game theory in the analysis of (two-party) protocols, this is the first use of these game-theoretic concepts in the construction of distributed multiparty protocols.


Finally, using the above results as stepping stones, we return to the classical conjecture of [BL85] in the model of adaptive adversaries, and show that the conjecture holds (up to polylogarithmic factors) for any symmetric one-round protocol with arbitrarily long messages.

Theorem. Any secure symmetric one-round coin-flipping protocol $\Pi$ can tolerate at most $t = O(\sqrt{n})$ adaptive corruptions.


¹ In particular, the “rushing adaptive adversary” from the literature can decide the order in which players send messages in a round, and can decide to corrupt a player who has not yet sent a message within a round. However, unlike our strong adaptive adversary, this adversary cannot decide to corrupt a player based on the content of the message which the player would send if uncorrupted.
1.2 Related work


The full-information model (also known as the perfect information model) was introduced by Ben-Or and Linial [BL85] to study the problem of collective coin-flipping when no secret communication is possible between honest players.


In the static setting. Protocols for collective coin-flipping in the presence of static corruptions have been constructed in a series of works that variously focus on improving the fault-tolerance, round complexity, and/or bias of the output bit. Feige [Fei99] gave a protocol that is $(\delta^{1.65}/2)$-secure² in the presence of $t = (1 + \delta) \cdot n/2$ static corruptions for any constant $0 < \delta < 1$. Russell, Saks, and Zuckerman [RSZ02] then showed that any protocol that is secure in the presence of linearly many corruptions must either have at least $(1/2 - o(1)) \cdot \log^*(n)$ rounds, or communicate many bits per round.

Interestingly, nearly all proposed multi-round protocols for collective coin-flipping first run a 
leader election protocol in which one of the n players is selected as a “leader”, who then outputs a 
bit that is taken as the protocol outcome. We remark that this approach is inherently unsuitable 
for adaptive adversaries, which can always corrupt the leader after he is elected, and thereby surely 
control the protocol outcome. 


In the adaptive setting. The study of coin-flipping protocols has been predominantly in the static setting. The problem of adaptively secure coin-flipping was introduced by Ben-Or and Linial [BL85] and further examined by Lichtenstein, Linial, and Saks [LLS89], as described in the previous section. In addition, Dodis [Dod00] proved that through “black-box” reductions from non-adaptive coin-flipping, it is not possible to tolerate significantly more corruptions than the majority protocol. The definition of “black-box” used in [Dod00] is rather restricted: it only considers sequential composition of non-adaptive coin-flipping protocols, followed by a (non-interactive) function computation on the coin-flips thus obtained.


In the pairwise-channels setting. An adversarial model bearing some resemblance to our strong adaptive adversary model was introduced and analyzed by Hirt and Zikas [HZ10] in the pairwise communication channels model, rather than the full-information model. In their model, the adversary can corrupt a party $P$ based on some of the messages that $P$ sends within a round; then the adversary controls the rest of $P$’s messages in that round (and for future rounds). Unlike in our strong adaptive model, the adversary of [HZ10] cannot “see inside all players’ heads” and overwrite arbitrary honest messages based on their content before they are sent.

Interestingly, a separation has been shown between standard adaptive adversaries and the stronger adversaries of Hirt and Zikas: [HZ10] shows that broadcast is impossible to achieve for $t > n/2$ corruptions in their stronger adversarial model, whereas Garay et al. [GKKZ11] showed that broadcast is achievable for any $t < n$ corruptions in the standard adaptive adversarial model.


In the computational setting. The problem of generating a shared random bit has also been studied in the setting where players are computationally bounded, and in different communication network models. Blum [Blu81] introduced the coin-flipping problem in the two-player computational setting, and Goldreich, Micali, and Wigderson [GMW87] subsequently showed that it is possible to efficiently generate a shared bit with negligible bias in the presence of static adversaries.

² A coin-flipping protocol is $\varepsilon$-secure against $t$ static corruptions if for any static adversary that corrupts up to $t$ parties, the probability that the protocol outputs 0 is at least $\varepsilon$.

Another line of work shows that the existence of any coin-flipping protocol for computationally bounded players which achieves a sufficiently small bias implies the existence of one-way functions. The latest result in this line of work, due to Berman, Haitner, and Tentes [BHT14], proves that if there exists a two-player coin-flipping protocol that achieves any constant bias, then one-way functions exist.


2 Preliminaries 

We consider coin-flipping protocols in the full-information model (also known as the perfect information model), where $n$ computationally unbounded players communicate via a single broadcast channel. The network is synchronized between rounds, but is asynchronous within each round (that is, there is no guarantee on message ordering within a round, and an adversary can see the messages of all honest players in a round before deciding his own messages).

In this work, we focus on one-round protocols, and we consider protocols that terminate (and 
produce an output) with probability 1. In particular, we focus on coin-flipping protocols, which 
are defined as follows. 

Definition 2.1 (Coin-flipping protocol). A coin-flipping protocol $\Pi = \{\Pi_n\}_{n \in \mathbb{N}}$ is a family of protocols where each $\Pi_n$ is an $n$-player protocol which outputs a bit in $\{0,1\}$.

Notation. We write $\approx$ for statistical indistinguishability of distributions. We denote by $\Pr^{\Pi}(b)$ the probability that an honest execution of $\Pi$ will lead to the outcome $b \in \{0,1\}$. We denote by $\Pr^{\Pi, A}(b)$ the probability that an execution of $\Pi$ in the presence of an adversary $A$ will lead to the outcome $b \in \{0,1\}$. The probability is over the random coins of the honest players and the adversary.

For one-round protocols, we write $\Pi_n(r_1, \ldots, r_n)$ to denote the outcome of the protocol $\Pi_n$ when each player $i$ sends message $r_i$. (The vector $(r_1, \ldots, r_n)$ is a protocol transcript.)

2.1 Properties of protocols 

Definition 2.2 (Symmetric protocol). A protocol $\Pi$ is symmetric if the outcome of a protocol execution is the same no matter how the messages within each round are permuted. In particular, a one-round protocol $\Pi$ is symmetric if for all $n \in \mathbb{N}$ and any permutation $\pi : [n] \to [n]$,

$$\Pi_n(r_1, \ldots, r_n) = \Pi_n(r_{\pi(1)}, \ldots, r_{\pi(n)}).$$

We remark, for completeness, that in the multi-round case, the outcome of a symmetric protocol 
should be unchanged even if different permutations are applied in different rounds. 

Definition 2.3 (Single-bit/multi-bit protocol). A protocol is single-bit if each player sends at most 
one bit over the course of the protocol execution. Similarly, a protocol is m-bit if each player sends 
at most m bits over the course of the protocol execution. More generally, a protocol which is not 
single-bit is called multi-bit. 
Definition 2.4 (Public-coin protocol). A protocol is public-coin if each honest player broadcasts all of the randomness he generates (i.e. his “local coin-flips”), and does not send any other messages.

2.2 Adversarial models in the literature 

The type of adversary that has been by far the most extensively studied in the coin-flipping literature is the static adversary, which chooses a subset of players to corrupt before the protocol execution begins, and controls the behavior of the corrupt players arbitrarily throughout the protocol execution.

A stronger type of adversary is the adaptive adversary, which may choose players to corrupt at 
any point during protocol execution, and controls the behavior of the corrupt players arbitrarily 
from the moment of corruption until protocol termination. 

Definition 2.5 (Adaptive adversary). Within each round, the adversary chooses players one-by- 
one to send their messages; and he can perform corruptions at any point during this process. 

2.3 Security of coin-flipping protocols 

The security of a coin-flipping protocol is usually measured by the extent to which an adversary 
can, by corrupting a subset of parties, bias the protocol outcome towards his desired bit. 

Definition 2.6 ($\varepsilon$-security). A coin-flipping protocol $\Pi$ is $\varepsilon$-secure against $t = t(n)$ adaptive (or static or strong adaptive) corruptions if for all $n \in \mathbb{N}$, it holds that for any adaptive (resp. static or strong adaptive) adversary $A$ that corrupts at most $t = t(n)$ players,

$$\min\left(\Pr^{\Pi_n, A}(0),\ \Pr^{\Pi_n, A}(1)\right) \ge \varepsilon.$$

We remark that this definition of $\varepsilon$-security is sometimes referred to as $\varepsilon$-control or $\varepsilon$-resilience in other works. We next define a secure protocol to be one with “minimal” security properties (that is, one where the adversary does not almost always get the outcome he wants).

Definition 2.7 (Security). A coin-flipping protocol is secure against $t = t(n)$ corruptions if it is $\varepsilon$-secure against $t$ corruptions for some constant $0 < \varepsilon < 1$.

In this work, we investigate the maximum proportion of adaptive corruptions that can be 
tolerated by any secure protocol. 

3 Our results 

3.1 Strongly adaptive adversaries 

In this work, we propose a new, stronger adversarial model than those that have been studied thus far (see Section 2.2), in which the adversary can see all honest players’ messages within any given round, and subsequently decide which players to corrupt. That is, he can see all the messages that the honest players “would have sent” in a round, and then selectively intercept and alter these messages.

Definition 3.1 (Strong adaptive adversary). Within each round, the adversary sees all the messages that honest players would have sent, then gets to choose which (if any) of those messages to corrupt (i.e. replace with messages of his choice).
This notion is an essential tool underlying the proof techniques in our work. Moreover, we believe that the notion of strong adaptive security gives rise to a natural and interesting new adversarial model in which to study multi-party protocols, which is of independent interest beyond the scope of this work.


3.2 Corruption tolerance in secure coin-flipping protocols 


Our main contributions consist of the following three results. These can be viewed as partial progress towards proving the 30-year-old conjecture of [BL85].


Theorem 3.2. Any one-round coin-flipping protocol $\Pi$ can be secure against at most $t = O(\sqrt{n})$ strong adaptive corruptions.

Theorem 3.3. For any symmetric one-round coin-flipping protocol $\Pi$ secure against $t = t(n)$ adaptive corruptions, there is a symmetric one-round coin-flipping protocol $\Pi'$ secure against $\Omega(t)$ strong adaptive corruptions.

Corollary 3.4. Any symmetric one-round coin-flipping protocol $\Pi$ can be secure against at most $t = O(\sqrt{n})$ adaptive corruptions.

In the next sections, we proceed to give detailed proofs of the theorems. 


3.3 Proof of Theorem 3.2

We begin by recalling the result of Lichtenstein et al. [LLS89], which proves that the maximum number of adaptive corruptions for any secure single-bit coin-flipping protocol is $O(\sqrt{n})$. Note that the majority protocol is the one-round protocol in which each player broadcasts a random bit, and the majority of broadcasted bits is taken to be the protocol outcome.

Theorem 3.5 ([LLS89]). Any coin-flipping protocol in which each player broadcasts at most one bit can be secure against at most $t = O(\sqrt{n})$ corruptions. Moreover, the majority protocol achieves this bound.


Next, we establish some definitions and supporting lemmas. 

Definition 3.6 (Distance between message-vectors). For vectors $r, r' \in \mathcal{M}^n$, let $\mathrm{dist}(r, r')$ be the number of coordinates $i \in [n]$ for which $r_i \neq r'_i$.

Definition 3.7 (Robust sets). Let $\Pi$ be a one-round coin-flipping protocol in which each player sends a message from a message space $\mathcal{M}$. For any $n \in \mathbb{N}$ and $b \in \{0,1\}$, define the set $\mathrm{Robust}^{\Pi_n}(b, t)$ as follows:

$$\mathrm{Robust}^{\Pi_n}(b, t) = \left\{ r \in \mathcal{M}^n : \forall r' \in \mathcal{M}^n \text{ s.t. } \mathrm{dist}(r, r') \le t,\ \Pi_n(r) = \Pi_n(r') = b \right\}.$$

Lemma 3.8. Let $\Pi$ be a one-round coin-flipping protocol in which each player sends a random message from a message space $\mathcal{M}$. $\Pi$ is secure against $t = t(n)$ strong adaptive corruptions if and only if there exists a constant $0 < \varepsilon < 1$ such that for all $n \in \mathbb{N}$ and each $b \in \{0,1\}$,

$$\Pr_{r \leftarrow \mathcal{M}^n}\left[r \in \mathrm{Robust}^{\Pi_n}(b, t)\right] \ge \varepsilon.$$
Proof. (“if”) Suppose that there exists a constant $0 < \varepsilon < 1$ such that for all $n \in \mathbb{N}$ and all $b \in \{0,1\}$, it holds that

$$\Pr_{r \leftarrow \mathcal{M}^n}\left[r \in \mathrm{Robust}^{\Pi_n}(b, t)\right] \ge \varepsilon. \quad (1)$$

Let $A$ be any strong adaptive adversary making up to $t$ corruptions. For an $n$-vector of (honest) messages $r \in \mathcal{M}^n$, let $A(r) \in \mathcal{M}^n$ denote the corresponding corrupted message-vector, where up to $t$ of the messages have been modified by $A$. By the definition of the set $\mathrm{Robust}^{\Pi_n}(b, t)$, it holds that

$$\Pr_{r \leftarrow \mathcal{M}^n}\left[\Pi_n(A(r)) = b \,\middle|\, r \in \mathrm{Robust}^{\Pi_n}(b, t)\right] = 1. \quad (2)$$

Combining equations (1) and (2), it follows that for each outcome $b \in \{0,1\}$,

$$\Pr_{r \leftarrow \mathcal{M}^n}\left[\Pi_n(A(r)) = b\right] \ge \varepsilon.$$

We have shown that for each $b \in \{0,1\}$, $\Pr^{\Pi_n, A}(b) \ge \varepsilon$, as required.

(“only if”) Suppose, on the other hand, that there is no constant $0 < \varepsilon < 1$ such that for all $b \in \{0,1\}$, it holds that $\Pr_{r \leftarrow \mathcal{M}^n}[r \in \mathrm{Robust}^{\Pi_n}(b, t)] \ge \varepsilon$. That is, there exists some $\varepsilon' = o(1)$ such that for some $b \in \{0,1\}$ and infinitely many values of $n \in \mathbb{N}$, it holds that

$$\Pr_{r \leftarrow \mathcal{M}^n}\left[r \in \mathrm{Robust}^{\Pi_n}(b, t)\right] < \varepsilon'. \quad (3)$$

Without loss of generality, let $b = 0$ be the bit for which equation (3) holds. By the definition of $\mathrm{Robust}^{\Pi_n}(b, t)$, it holds that for any $r \notin \mathrm{Robust}^{\Pi_n}(b, t)$, there exists a vector $r_{bad} \in \mathcal{M}^n$ such that $\mathrm{dist}(r, r_{bad}) \le t$ and $\Pi_n(r) \neq \Pi_n(r_{bad})$. In other words, if the honest players’ messages $r$ do not fall in $\mathrm{Robust}^{\Pi_n}(0, t)$, then it is possible for a strong adaptive adversary $A$ to force the outcome to be 1, by doing as follows:

$$A(r) = \begin{cases} r & \text{if } \Pi_n(r) = 1 \\ r_{bad} & \text{if } \Pi_n(r) = 0 \end{cases}$$

Note that since $\mathrm{dist}(r, r_{bad}) \le t$, it is always possible for the adversary to change from $r$ to $r_{bad}$ using $t$ or fewer corruptions. Moreover, if $\Pi_n(r) = 0$, then it must be that $\Pi_n(r_{bad}) = 1$, by construction of $r_{bad}$. Hence,

$$\Pr_{r \leftarrow \mathcal{M}^n}\left[\Pi_n(A(r)) = 1 \,\middle|\, r \notin \mathrm{Robust}^{\Pi_n}(0, t)\right] = 1. \quad (4)$$

Combining equations (3) and (4) (for $b = 0$), we obtain:

$$\Pr_{r \leftarrow \mathcal{M}^n}\left[\Pi_n(A(r)) = 1\right] = \Pr_{r \leftarrow \mathcal{M}^n}\left[r \notin \mathrm{Robust}^{\Pi_n}(0, t)\right] > 1 - \varepsilon'.$$

Hence, $\Pr^{\Pi_n, A}(1) > 1 - \varepsilon'$, and so $\Pr^{\Pi_n, A}(0) < \varepsilon' = o(1)$. Therefore, $\Pi$ is not secure against $t$ strong adaptive corruptions. The lemma follows. □
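To make Definitions 3.6 and 3.7, the adversary of Definition 3.1 and both directions of Lemma 3.8 concrete, the following added Python example (not from the paper) instantiates them for the majority protocol, where the robust set has a closed form and its probability is an exact binomial tail. The function names and the choice of $t = n^{3/4}$ as the “too many corruptions” comparison are ours.

```python
import math
import random
from typing import Sequence

# Added example, not from the paper: Definitions 3.6-3.7, the strong adaptive adversary of
# Definition 3.1 and both directions of Lemma 3.8, instantiated for the majority protocol.
# For majority, Robust^{Pi}(b, t) has a closed form and Pr[r in Robust(b, t)] is a binomial
# tail, so the robust-set probability can be computed exactly rather than estimated.


def majority(r: Sequence[int]) -> int:
    """Majority protocol (n odd): the outcome is the majority of the players' bits."""
    return 1 if 2 * sum(r) > len(r) else 0


def dist(r: Sequence[int], r_prime: Sequence[int]) -> int:
    """Definition 3.6: the number of coordinates in which two transcripts differ."""
    return sum(1 for x, y in zip(r, r_prime) if x != y)


def is_robust_majority(r: Sequence[int], t: int) -> bool:
    """Definition 3.7 for majority: r lies in Robust(majority(r), t) iff no change of at most
    t coordinates can flip the outcome. Changing t bits moves the number of ones by at
    most t, so the outcome is robust exactly when its margin over n/2 exceeds t."""
    n, ones = len(r), sum(r)
    if 2 * ones > n:
        return ones - t > n / 2   # outcome 1 survives turning t ones into zeros
    return ones + t < n / 2       # outcome 0 survives turning t zeros into ones


def binomial_tail(n: int, lo: int, hi: int) -> int:
    """Sum of C(n, c) over lo <= c <= hi, via C(n, c+1) = C(n, c)(n-c)/(c+1) so that
    large n stays cheap (one big-int multiply and divide per term)."""
    if lo > hi:
        return 0
    term, total = math.comb(n, lo), 0
    for c in range(lo, hi + 1):
        total += term
        term = term * (n - c) // (c + 1)
    return total


def robust_probability(n: int, t: int, b: int) -> float:
    """Exact Pr_{r <- {0,1}^n}[r in Robust^{majority}(b, t)] for odd n."""
    if b == 1:
        favourable = binomial_tail(n, n // 2 + 1 + t, n)    # ones - t > n/2
    else:
        favourable = binomial_tail(n, 0, (n - 1) // 2 - t)  # ones + t < n/2
    return favourable / 2 ** n


def attack_majority(r: Sequence[int], t: int, target: int) -> list:
    """Strong adaptive adversary from the "only if" direction of Lemma 3.8, for majority.
    It sees the honest transcript r before delivery (Definition 3.1); if the outcome is
    already `target` it forwards r unchanged, otherwise it corrupts up to t players whose
    bits oppose `target`. The result is the proof's r_bad whenever r is not in
    Robust(1 - target, t); when r is robust the outcome stays 1 - target."""
    if majority(r) == target:
        return list(r)
    corrupted, budget = list(r), t
    for i, bit in enumerate(corrupted):
        if budget == 0:
            break
        if bit != target:
            corrupted[i] = target
            budget -= 1
    return corrupted


def attacked_outcome_rate(n: int, t: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of Pr^{majority, A}(1) for the adversary above targeting 1.
    By the argument of Lemma 3.8 it equals 1 - Pr[r in Robust(0, t)] up to sampling error."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        r = [rng.randint(0, 1) for _ in range(n)]   # constructed honest transcript
        hits += majority(attack_majority(r, t, target=1))
    return hits / trials


def tolerance_sweep(n: int) -> dict:
    """Robust-set probability for t = floor(sqrt(n)) versus t = floor(n^(3/4)). The first
    stays bounded below by a constant as n grows, so majority remains secure (Definition
    2.7); the second vanishes, so the adversary fixes the coin with certainty."""
    t_sqrt, t_big = math.isqrt(n), int(n ** 0.75)
    return {
        "t_sqrt": (t_sqrt, robust_probability(n, t_sqrt, 0)),
        "t_big": (t_big, robust_probability(n, t_big, 0)),
    }


if __name__ == "__main__":
    for n in (101, 1001, 10001):
        print(n, tolerance_sweep(n))
    n, t = 101, 10
    print("attacked Pr(1):", attacked_outcome_rate(n, t, trials=4000),
          "exact:", 1 - robust_probability(n, t, 0))
```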

Since players are computationally unbounded and we consider one-round protocols, we may without loss of generality consider public-coin protocols³: for any one-round protocol $\Pi$ in the full-information model, there is a protocol $\Pi'$ with an identical output distribution (in the presence of any adversary), in which honest players send random messages in $\{0,1\}^k$ for some $k = \mathrm{poly}(n)$. The following lemma serves as a stepping-stone to our final theorem.

³ This is without loss of generality: each player can simply send his random coin tosses, and security holds since we are in the full-information model.

Lemma 3.9. For any one-round multi-bit coin-flipping protocol $\Pi$ secure against $t = t(n)$ strong adaptive corruptions, and any constant $\delta > 0$, there is a one-round $\ell$-bit coin-flipping protocol $\Pi'$ that is secure against $t$ strong adaptive corruptions, where $\ell = O(\log^{1+\delta}(n))$.

Proof. Without loss of generality, we consider only public-coin protocols, and assume that each player sends a message of the same length (say, $k = k(n)$ bits). Let $\delta > 0$ be any constant, let $\ell = O(\log^{1+\delta}(n))$, and let $\ell' = 2^{\ell}$.

For an $\ell' \times n$ matrix of messages $M \in (\{0,1\}^k)^{\ell' \times n}$, we define the protocol $\Pi^M$ as follows: each player $P_i$ broadcasts a random integer $a_i \leftarrow [\ell']$, and the protocol outcome is defined by

$$\Pi^M_n(a_1, \ldots, a_n) = \Pi_n\left(M_{(a_1, 1)}, \ldots, M_{(a_n, n)}\right),$$

where $M_{(i,j)}$ denotes the message at the $i$th row and $j$th column of the matrix $M$. For notational convenience, define $M(a_1, \ldots, a_n) = (M_{(a_1, 1)}, \ldots, M_{(a_n, n)})$. Notice that by construction of the protocol $\Pi^M$, it holds that for any message-vector $a \in [\ell']^n$,

$$M(a) \in \mathrm{Robust}^{\Pi_n}(b, t) \implies a \in \mathrm{Robust}^{\Pi^M_n}(b, t). \quad (5)$$


Suppose each entry of the matrix $M$ is a uniformly random message in $\{0,1\}^k$. Note that the length of each player’s message in $\Pi^M$ is $\log(\ell') = \ell$. We want to show that $\Pi^M$ is a secure coin-flipping protocol against $t$ strong adaptive corruptions, for some $M$. By Lemma 3.8, it is sufficient to show that there exists $M \in (\{0,1\}^k)^{\ell' \times n}$ such that for all $b \in \{0,1\}$,

$$\Pr_{a \leftarrow [\ell']^n}\left[a \in \mathrm{Robust}^{\Pi^M_n}(b, t)\right] \ge \varepsilon, \quad (6)$$

where $0 < \varepsilon < 1$ is constant. Using implication (5), it actually suffices to prove:

$$\exists M \in (\{0,1\}^k)^{\ell' \times n} \text{ s.t. } \forall b \in \{0,1\},\quad \Pr_{a \leftarrow [\ell']^n}\left[M(a) \in \mathrm{Robust}^{\Pi_n}(b, t)\right] \ge \varepsilon. \quad (7)$$


Suppose the matrix $M$ is chosen uniformly at random. Let $a_1, \ldots, a_n$ be sampled independently and uniformly from $[\ell']^n$. Since the number of matrix rows $\ell' = 2^{O(\log^{1+\delta}(n))}$ is super-polynomial, it is overwhelmingly likely that $a_1, \ldots, a_n$ will be composed of distinct elements in $[\ell']$. That is, to be precise,

$$\Pr_{a_1, \ldots, a_n}\left[\forall (i, j) \neq (i', j') \in [n] \times [n],\ (a_i)_j \neq (a_{i'})_{j'}\right] \ge 1 - \mathrm{negl}(n).$$

If $a_1, \ldots, a_n$ are indeed composed of distinct elements, the message-vectors $M(a_1), \ldots, M(a_n)$ are independent random elements in $(\{0,1\}^k)^n$. Thus,

$$(M(a_1), \ldots, M(a_n)) \approx (r_1, \ldots, r_n), \quad (8)$$

when $M$ is a random matrix in $(\{0,1\}^k)^{\ell' \times n}$, the (short) message-vectors $a_1, \ldots, a_n$ are random in $[\ell']^n$, and the (long) message-vectors $r_1, \ldots, r_n$ are random in $(\{0,1\}^k)^n$.
Since $\Pi$ is a secure coin-flipping protocol, there is a constant $0 < \varepsilon' < 1$ such that for all $n \in \mathbb{N}$, $b \in \{0,1\}$ and $i \in [n]$,

$$\Pr_{r_i}\left[r_i \in \mathrm{Robust}^{\Pi_n}(b, t)\right] \ge \varepsilon'.$$

The rest of the proof follows from a series of Chernoff bounds.

For $i \in [n]$ and $b \in \{0,1\}$, let $Z_{i,b}$ be an indicator variable for the event that $r_i \in \mathrm{Robust}^{\Pi_n}(b, t)$. Since the $r_i$ are independent, we apply a Chernoff bound to obtain the following (for all $b \in \{0,1\}$):

$$\Pr\left[\frac{1}{n} \sum_{i \in [n]} Z_{i,b} < \varepsilon' - \varepsilon''\right] < \mathrm{negl}(n), \quad (9)$$

for any constant $0 < \varepsilon'' < \varepsilon'$.

Let $Y_{i,b}$ be an indicator variable for the event that $M(a_i) \in \mathrm{Robust}^{\Pi_n}(b, t)$. It follows from (8) and (9) that with overwhelming probability over the choice of the random matrix $M$, it holds for all $b \in \{0,1\}$ that

$$\Pr_{a_1, \ldots, a_n}\left[\frac{1}{n} \sum_{i \in [n]} Y_{i,b} < \varepsilon' - \varepsilon''\right] < \mathrm{negl}(n). \quad (10)$$

For $b \in \{0,1\}$, let $\alpha_b$ denote the probability $\Pr_{a}\left[M(a) \in \mathrm{Robust}^{\Pi_n}(b, t)\right]$. Note that for any given $b \in \{0,1\}$ the variables $Y_{i,b}$ are independently and identically distributed, each taking value 1 with probability $\alpha_b$ and value 0 with probability $1 - \alpha_b$. By a Chernoff bound, for any constant $0 < \varepsilon''' < 1$, it holds that (with overwhelming probability over the choice of $M$):

$$\Pr_{a_1, \ldots, a_n}\left[\left|\frac{1}{n} \sum_{i \in [n]} Y_{i,b} - \alpha_b\right| > \varepsilon'''\right] < \mathrm{negl}(n). \quad (11)$$

From (10) and (11), it follows that with overwhelming probability over the random choice of $M$, for all $b \in \{0,1\}$ and any constants $0 < \varepsilon'' < 1$ and $0 < \varepsilon''' < 1$,

$$\Pr_{a_1, \ldots, a_n}\left[\alpha_b < \varepsilon' - \varepsilon'' - \varepsilon'''\right] < \mathrm{negl}(n).$$

By taking $\varepsilon'' + \varepsilon''' < \varepsilon'/2$, we have that with overwhelming probability over $M$, it holds that $\alpha_b \ge \varepsilon'/2$ for all $b \in \{0,1\}$. Finally, the $\alpha_b$ correspond exactly to the probability expression in (7), so we have shown statement (7) as required. □


Having reduced the length of players’ messages to $\mathrm{polylog}(n)$ in Lemma 3.9, we now prove the following lemma, which reduces the required communication even further, so that each player sends only one bit. This comes at the cost of a polylogarithmic factor reduction in the number of corruptions.

Before the lemma, we recall the statement of the Chernoff bound. 

Theorem 3.10 (Chernoff bound). Let $X_1, \ldots, X_n$ be independent random variables taking values in $\{0,1\}$, which all have the same expectation $\mu = \mathbb{E}[X_i]$. Then, for every $0 < \varepsilon < 1$,

$$\Pr\left[\left|\frac{1}{n} \sum_{i \in [n]} X_i - \mu\right| > \varepsilon\right] \le 2e^{-2n\varepsilon^2}.$$
Lemma 3.11. For any one-round $\ell$-bit coin-flipping protocol $\Pi$ secure against $t = t(n)$ strong adaptive corruptions, there is a one-round single-bit coin-flipping protocol $\Pi'$ that is secure against $t/\ell$ strong adaptive corruptions.

Proof. Let $\Pi$ be any one-round $\ell$-bit coin-flipping protocol secure against $t = t(n)$ strong adaptive corruptions. We define our new single-bit protocol⁴ $\Pi'$ as follows, for each $n \in \mathbb{N}$:

$$\Pi'_{n \cdot \ell}(r_1, \ldots, r_{n \cdot \ell}) = \Pi_n\left((r_1 \| \cdots \| r_\ell),\ (r_{\ell+1} \| \cdots \| r_{2\ell}),\ \ldots,\ (r_{(n-1)\ell+1} \| \cdots \| r_{n \cdot \ell})\right),$$

where the messages $r_i \in \{0,1\}$ are bits and $\|$ denotes concatenation. Informally speaking, there are $n$ groups of $\ell$ players in the single-bit protocol $\Pi'_{n \cdot \ell}$, each of which “corresponds to” a single player in the protocol $\Pi_n$.

We show that $\Pi'$ is secure against $t/\ell$ corruptions. Let $G_i$ denote the $i$th group of $\ell$ players: to be precise, $G_i = \{i \cdot \ell + 1, \ldots, (i+1) \cdot \ell\}$. If all of the players in the set $G_i$ are honest, then the $i$th “combined message” $(r_{i \cdot \ell + 1} \| \cdots \| r_{(i+1) \cdot \ell})$ is distributed identically to an honest message of the $i$th player in the protocol $\Pi_n$. By the construction of the protocol $\Pi'$, it follows that for any $b \in \{0,1\}$ and $n \in \mathbb{N}$,

$$\Pr_{r \leftarrow \{0,1\}^{n \cdot \ell}}\left[r \in \mathrm{Robust}^{\Pi'_{n \cdot \ell}}(b, t(n))\right] \ \ge\ \Pr_{r' \leftarrow (\{0,1\}^\ell)^n}\left[r' \in \mathrm{Robust}^{\Pi_n}(b, t(n))\right]. \quad (12)$$

By Lemma 3.8, since $\Pi$ is secure against $t$ strong adaptive corruptions, there is a constant $0 < \varepsilon < 1$ such that for all $b \in \{0,1\}$ and $n \in \mathbb{N}$, the right-hand side of inequality (12) is at least $\varepsilon$. Hence we obtain

$$\Pr_{r \leftarrow \{0,1\}^{n \cdot \ell}}\left[r \in \mathrm{Robust}^{\Pi'_{n \cdot \ell}}(b, t(n))\right] \ge \varepsilon.$$

It follows (by applying Lemma 3.8 again) that $\Pi'$ is secure against $t/\ell$ strong adaptive corruptions. □


Finally, we bring together Lemmas 3.9 and 3.11 to prove the theorem.

Theorem 3.2. Any one-round coin-flipping protocol $\Pi$ can be secure against at most $t = O(\sqrt{n})$ strong adaptive corruptions.

Proof. Suppose, for contradiction, that there exists a one-round coin-flipping protocol $\Pi$ which is secure against $t$ corruptions, where $t = \omega(\sqrt{n} \cdot \mathrm{polylog}(n))$. Then, by Lemma 3.9, there is an $\ell$-bit one-round coin-flipping protocol $\Pi'$ that is secure against $t$ strong adaptive corruptions, where $\ell = \mathrm{polylog}(n)$. By applying Lemma 3.11 to the protocol $\Pi'$, we deduce that there is a single-bit one-round coin-flipping protocol $\Pi''$ which is secure against $t/\ell = \Omega(t)$ strong adaptive corruptions. Since a strongly adaptive adversary can perfectly simulate any strategy of an adaptive adversary, it follows that $\Pi''$ is secure against $\Omega(t)$ adaptive corruptions. Since $\Pi''$ is single-bit, this contradicts Theorem 3.5. □

$^4$ We remark that the protocol $\Pi'$ that we construct does not strictly adhere to Definition 2.1 because $\Pi' = \{\Pi'_n\}_{n \in \ell\cdot\mathbb{N}}$ does not define an $n$-player protocol for every $n \in \mathbb{N}$. We consider this to be a very minor technical detail that we bury for clarity of exposition.
3.4 Proof of Theorem 3.3

In this section, we show that for any symmetric one-round coin-flipping protocol secure against $t$ adaptive corruptions, there is a one-round coin-flipping protocol secure against $\Omega(t)$ corruptions by strong adaptive adversaries. That is, one-round strongly adaptively secure protocols are a more general class than one-round symmetric, adaptively secure protocols.

Remark. In fact, Theorem 3.3 holds even if the protocol $\Pi$ is just statically secure: the proof does not make use of the fact that $\Pi$ is adaptively, rather than statically, secure. Our theorem statement refers to $\Pi$ as an adaptively secure protocol because this is exactly what we need in order to obtain our final result that any one-round symmetric coin-flipping protocol can be secure against at most $O(\sqrt{n})$ corruptions.

The Minimax Theorem, a classic tool in game theory, will be an important tool in our proof. The statement of the Minimax Theorem and supporting game-theoretic definitions are given below.

Definition 3.12 (Two-player strategic game). A two-player finite strategic game $\Gamma = ((A_1, A_2), (u_1, u_2))$ is defined by: for each player $i \in \{1, 2\}$, a non-empty set of possible actions $A_i$ and a utility function $u_i : A_1 \times A_2 \to \mathbb{R}$.


Definition 3.13 (Zero-sum game). A two-player finite strategic game $\Gamma = ((A_1, A_2), (u_1, u_2))$ is zero-sum if for any pair of actions $a_1 \in A_1$ and $a_2 \in A_2$, it holds that $u_1(a_1, a_2) + u_2(a_1, a_2) = 0$.

Theorem 3.14 (Minimax [NM44, Nas50]). Let $\Gamma = ((A_1, A_2), (u_1, u_2))$ be a zero-sum two-player finite strategic game. Then

$$\max_{\alpha_2 \in \Delta(A_2)}\ \min_{\alpha_1 \in \Delta(A_1)} u_2(\alpha_1, \alpha_2) \;=\; \min_{\alpha_1 \in \Delta(A_1)}\ \max_{\alpha_2 \in \Delta(A_2)} u_1(\alpha_1, \alpha_2),$$

where $\Delta(A_i)$ denotes the set of distributions over $A_i$ (in game-theoretic terminology, this corresponds to the set of "mixed strategies" for player $i$).

Theorem 3.3. For any symmetric one-round coin-flipping protocol $\Pi$ secure against $t = t(n)$ adaptive corruptions, there is a symmetric one-round coin-flipping protocol $\Pi'$ secure against $s = t/2$ strong adaptive corruptions.

Proof. Let $\Pi$ be a symmetric one-round coin-flipping protocol secure against $t = t(n)$ adaptive corruptions, and define $s(n) = t(n)/2$. We define a new protocol $\Pi' = \{\Pi'_n\}_{n \in \mathbb{N}}$ as follows:

$$\Pi'_n(r_1, \ldots, r_n) = \min_{r'_1, \ldots, r'_s}\ \max_{r''_1, \ldots, r''_s}\ \Pi_{n+2s}(r_1, \ldots, r_n,\ r'_1, \ldots, r'_s,\ r''_1, \ldots, r''_s),$$

where $s = s(n)$ and honest players in $\Pi'_n$ must send messages according to the same distributions as in $\Pi_{n+2s}$.

Observe that $\Pi_{n+2s}$ is secure against $t(n + 2s(n)) \ge t(n)$ corruptions. We show that $\Pi'_n$ is secure against $s(n) = t(n)/2$ strong adaptive corruptions.

Case 1. Suppose that the adversary aims to bias the outcome towards 0. By the security of $\Pi_{n+2s}$, there is a constant $0 < \varepsilon < 1$ such that $\Pr^{\Pi_{n+2s},\mathcal{A}}(1) \ge \varepsilon$ for any adaptive adversary $\mathcal{A}$ that corrupts up to $t = 2s$ players. Without loss of generality (since the protocol is symmetric), suppose that the adversary corrupts the last $2s$ players in $\Pi_{n+2s}$.

We say that the honest players' messages $r_1, \ldots, r_n$ "fix" the outcome of $\Pi_{n+2s}$ to be 1 if for any possibly malicious messages $\tilde r_1, \ldots, \tilde r_{2s}$, it holds that $\Pi_{n+2s}(r_1, \ldots, r_n, \tilde r_1, \ldots, \tilde r_{2s}) = 1$. Then, with probability at least $\varepsilon$, the honest players' messages $r_1, \ldots, r_n$ "fix" the outcome of $\Pi_{n+2s}$ to be 1. (To see this: suppose not. Then there would exist an adversary which could set the corrupt messages $\tilde r_1, \ldots, \tilde r_{2s}$ so that the protocol outcome is 0 with probability greater than $1 - \varepsilon$. But this cannot be, since we already established that $\Pr^{\Pi_{n+2s},\mathcal{A}}(1) \ge \varepsilon$.)

Define the set

$$R_1 \stackrel{\mathrm{def}}{=} \{(r_1, \ldots, r_n) : \forall\, \tilde r_1, \ldots, \tilde r_{2s},\ \Pi_{n+2s}(r_1, \ldots, r_n, \tilde r_1, \ldots, \tilde r_{2s}) = 1\}$$

to consist of those honest message-vectors that fix the output of $\Pi_{n+2s}$ to be 1.

Take any $(r_1, \ldots, r_n) \in R_1$. We now show that the outcome of $\Pi'_n$ when the honest players send messages $r_1, \ldots, r_n$ is equal to 1, even in the presence of a strong adaptive adversary $\mathcal{A}'$ that corrupts up to $s$ players and aims to bias the outcome towards 0. Without loss of generality, suppose that $\mathcal{A}'$ corrupts the first $s$ players in $\Pi'_n$, and replaces their honest messages $r_1, \ldots, r_s$ with some maliciously chosen messages $\tilde r_1, \ldots, \tilde r_s$. In this case, the outcome of $\Pi'_n$ is

$$\begin{aligned}
\Pi'_n(\tilde r_1, \ldots, \tilde r_s, r_{s+1}, \ldots, r_n)
&= \min_{r'_1, \ldots, r'_s}\ \max_{r''_1, \ldots, r''_s}\ \Pi_{n+2s}(\tilde r_1, \ldots, \tilde r_s, r_{s+1}, \ldots, r_n,\ r'_1, \ldots, r'_s,\ r''_1, \ldots, r''_s) \\
&\ge \min_{r'_1, \ldots, r'_s}\ \Pi_{n+2s}(\tilde r_1, \ldots, \tilde r_s, r_{s+1}, \ldots, r_n,\ r'_1, \ldots, r'_s,\ r_1, \ldots, r_s) \\
&= \min_{r'_1, \ldots, r'_s}\ \Pi_{n+2s}(r_1, \ldots, r_n,\ \tilde r_1, \ldots, \tilde r_s,\ r'_1, \ldots, r'_s) \qquad \text{(by symmetry)} \\
&= 1,
\end{aligned}$$

where the last line follows from the definition of $R_1$, since we started with $(r_1, \ldots, r_n) \in R_1$.

We already established that the probability that the honest players' messages fall in $R_1$ is at least $\varepsilon$. Thus we deduce that with probability at least $\varepsilon$, the outcome of the new protocol $\Pi'_n$ is equal to 1, even in the presence of a strong adaptive adversary corrupting $s$ players and aiming to bias towards 0.

Case 2. Suppose instead that the adversary $\mathcal{A}'$ aims to bias the outcome towards 1. We apply the Minimax Theorem to a zero-sum game where player 1 chooses the messages $r'_1, \ldots, r'_s$ and player 2 chooses the messages $r''_1, \ldots, r''_s$, and player 1 "wins" if the protocol outcome is 0, and player 2 wins otherwise. By the Minimax Theorem,

$$\Pi'_n(r_1, \ldots, r_n) = \max_{r''_1, \ldots, r''_s}\ \min_{r'_1, \ldots, r'_s}\ \Pi_{n+2s}(r_1, \ldots, r_n,\ r'_1, \ldots, r'_s,\ r''_1, \ldots, r''_s).$$

Given this new and equivalent definition of $\Pi'$, we can apply exactly the same argument structure as that given for Case 1 above, to deduce that

• There is a constant $0 < \varepsilon' < 1$ such that $\Pr^{\Pi_{n+2s},\mathcal{A}}(0) = 1 - \Pr^{\Pi_{n+2s},\mathcal{A}}(1) \ge \varepsilon'$ for any adaptive $\mathcal{A}$ performing up to $2s$ corruptions, and hence there is a non-empty set

$$R_0 = \{(r_1, \ldots, r_n) : \forall\, \tilde r_1, \ldots, \tilde r_{2s},\ \Pi_{n+2s}(r_1, \ldots, r_n, \tilde r_1, \ldots, \tilde r_{2s}) = 0\},$$

and

• by the adaptive security of $\Pi_{n+2s}$, the messages of honest players will fall in $R_0$ with probability at least $\varepsilon'$, and

• if the honest players' messages fall in $R_0$, then the outcome of $\Pi'_n$ is equal to 0, even in the presence of a strong adaptive adversary corrupting $s$ players and aiming to bias towards 1.

We have established that both outcomes 0 and 1 occur with constant probability in $\Pi'_n$, even in the presence of an arbitrary strong adaptive adversary corrupting up to $s$ players. Therefore, $\Pi'_n$ is secure against $s = t/2$ corruptions. □
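Both constructions in this section, the bit-grouping protocol $\Pi'$ of Lemma 3.11 and the min-max protocol $\Pi'_n$ of Theorem 3.3, can be checked exhaustively for tiny parameters. The Python below is an added example and not code from the paper. It assumes the plain majority protocol (symmetric, single-bit, honest messages uniformly random) as the concrete $\Pi$ for Theorem 3.3, a constructed 2-bit "majority of message parities" protocol as the $\Pi$ for Lemma 3.11, and reads $\mathrm{Robust}^{\Pi}(b, t)$ (whose definition, via Lemma 3.8, is not restated in this section) as the set of honest message vectors on which the output stays $b$ after an adversary who has seen the vector replaces at most $t$ of its entries. All function names are the example's own.

```python
from itertools import combinations, product

# --- Constructed concrete protocols (not from the paper) ---------------------

def majority(msgs):
    """Symmetric single-bit protocol: output 1 iff at least half the bits are 1."""
    return 1 if 2 * sum(msgs) >= len(msgs) else 0

def parity_majority(msgs):
    """Symmetric ell-bit protocol: each message is a bit tuple; output the
    majority of the per-message parities. Plays the role of Pi in Lemma 3.11."""
    return majority(tuple(sum(m) % 2 for m in msgs))

# --- Assumed reading of Robust^Pi(b, t) -------------------------------------

def robust(pi, r, t, alphabet):
    """Return b if the honest vector r is b-robust against t strong adaptive
    corruptions: an adversary who sees r and replaces at most t entries with
    any messages from `alphabet` cannot change the output pi(r) = b.
    Return None otherwise. (Assumption: this is what Robust^pi(b, t) means.)"""
    b = pi(r)
    for k in range(1, t + 1):
        for positions in combinations(range(len(r)), k):
            for new_vals in product(alphabet, repeat=k):
                r2 = list(r)
                for p, v in zip(positions, new_vals):
                    r2[p] = v
                if pi(tuple(r2)) != b:
                    return None
    return b

def robust_probabilities(pi, n, t, alphabet):
    """Pr[r in Robust^pi(0, t)] and Pr[r in Robust^pi(1, t)] over uniformly
    random honest vectors r in alphabet^n, by exhaustive enumeration."""
    counts, total = {0: 0, 1: 0}, 0
    for r in product(alphabet, repeat=n):
        total += 1
        b = robust(pi, r, t, alphabet)
        if b is not None:
            counts[b] += 1
    return counts[0] / total, counts[1] / total

# --- Lemma 3.11: single-bit protocol from an ell-bit one ---------------------

def group_protocol(pi, ell):
    """Pi'_{n*ell}(r_1, ..., r_{n*ell}) = Pi_n((r_1||...||r_ell), ...): each group
    of ell consecutive single-bit players stands in for one ell-bit player."""
    def pi_prime(bits):
        n = len(bits) // ell
        return pi(tuple(tuple(bits[i * ell:(i + 1) * ell]) for i in range(n)))
    return pi_prime

# --- Theorem 3.3: strongly adaptive protocol from a symmetric adaptive one ---

def minmax_protocol(pi_family, n, s, alphabet):
    """Pi'_n(r) = min over r' (s messages) of max over r'' (s messages) of
    Pi_{n+2s}(r, r', r''), evaluated by brute force."""
    def pi_prime(r):
        return min(
            max(pi_family(tuple(r) + rp + rpp) for rpp in product(alphabet, repeat=s))
            for rp in product(alphabet, repeat=s))
    return pi_prime

def fixes(pi_family, r, m, b, alphabet):
    """True iff honest messages r 'fix' Pi_{n+m} to b: every choice of the m
    corrupt messages (placed last, by symmetry) still gives output b.
    This is membership of r in the set R_b of the proof."""
    return all(pi_family(tuple(r) + adv) == b for adv in product(alphabet, repeat=m))

def check_theorem_33(pi_family, n, s, alphabet):
    """Exhaustively verify the proof's key step: every r in R_b is b-robust in
    Pi'_n against s strong adaptive corruptions (any s positions, not only the
    first s). Returns (claim_holds, Pr[r in R_0], Pr[r in R_1])."""
    pi_prime = minmax_protocol(pi_family, n, s, alphabet)
    holds, in_r, total = True, {0: 0, 1: 0}, 0
    for r in product(alphabet, repeat=n):
        total += 1
        for b in (0, 1):
            if fixes(pi_family, r, 2 * s, b, alphabet):
                in_r[b] += 1
                if robust(pi_prime, r, s, alphabet) != b:
                    holds = False
    return holds, in_r[0] / total, in_r[1] / total

if __name__ == "__main__":
    bits = (0, 1)
    two_bit = tuple(product(bits, repeat=2))
    # Lemma 3.11 with n = 3 players, ell = 2, t = 1: both sides of inequality (12).
    print("Pi_3  (2-bit):", robust_probabilities(parity_majority, 3, 1, two_bit))
    print("Pi'_6 (1-bit):", robust_probabilities(group_protocol(parity_majority, 2), 6, 1, bits))
    # Theorem 3.3 with n = 5, s = 1, built from 7-player majority.
    print("Theorem 3.3 check:", check_theorem_33(majority, 5, 1, bits))
    print("Pi'_5 robust probs:", robust_probabilities(minmax_protocol(majority, 5, 1, bits), 5, 1, bits))
```

For the parity-majority instance, both sides of inequality (12) come out equal (1/8 for each outcome): a single corrupted bit in $\Pi'_6$ can flip exactly one group parity, which is the same power a single corrupted 2-bit message has in $\Pi_3$. For the majority instance, the min-max protocol $\Pi'_5$ built from 7-player majority evaluates to 1 exactly when at least three of the five honest bits are 1, $R_1$ consists of the vectors with at least four ones, and the check confirms that every such vector keeps output 1 under any single replacement, as the proof of Case 1 argues.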

4 Conclusion

We have introduced a new adversarial model for multi-party protocols and an associated security notion, strong adaptive security. We have made use of a novel and widely applicable technique for reducing the amount of communication in a protocol, to show that any one-round strongly adaptively secure coin-flipping protocol can tolerate at most $O(\sqrt{n})$ corruptions. We believe that this work paves the way to a number of little-explored research directions. We highlight some interesting questions for future work:

• To study the extent to which communication can be reduced in protocols in general, and to extend our communication-reduction techniques to the settings of multi-round protocols and/or adaptive security.

• To apply the strong adaptive security notion in the context of other types of protocols and settings, and to design protocols secure in the presence of strong adaptive adversaries.

• To consider whether adaptively secure asymmetric coin-flipping protocols can be converted to adaptively secure symmetric protocols, in general. This is not known even for the one-round case, and the question is moreover of interest since there are known one-round protocols which are not symmetric.

• To extend this work to prove (or disprove) the long-open conjecture of Lichtenstein et al. [LLS89] that any adaptively secure coin-flipping protocol can tolerate at most $O(\sqrt{n})$ corruptions.